Uber Hacked: Its Security is ‘Awful’ and ‘Weak’

Fake taxi-cum-takeout service Uber was fully pwned this week. The company says it’s “responding to a cybersecurity incident,” whatever that means.

This is no ordinary prank. The hacker appears to have total control of business-critical systems such as the public cloud accounts at Amazon and Google, plus email, Slack, customer data, source code, finance and bug bounty systems.

It’s bad—really bad. In today’s SB Blogwatch, we dissect a train wreck.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Déjà vu.

People Prefer Proper Taxis

What’s the craic? Kate Conger and Kevin Roose report—“Uber Investigating Breach of Its Computer Systems”:

The company had weak security
The breach appeared to have compromised many of Uber’s internal systems, and a person claiming responsibility for the hack sent images of email, cloud storage and code repositories to cybersecurity researchers. … Uber employees received a [Slack] message that read, “I announce I am a hacker and Uber has suffered a data breach.” The message went on to list several internal databases that the hacker claimed had been compromised.

The person who claimed responsibility for the hack told [us] he had sent a text message to an Uber worker claiming to be a corporate information technology person. The worker was persuaded to hand over a password that allowed the hacker to gain access to Uber’s systems, a technique known as social engineering.

The person appeared to have access to Uber source code, email and other internal systems. [He] said that he was 18 years old [and that] he had broken into Uber’s systems because the company had weak security.

And then what? Let’s turn to Carly Page—“Uber investigating cybersecurity incident”:

Not the first time
The attacker found high privileged credentials on a network file share and used them to access everything, including production systems, Uber’s Slack management interface, and the company’s EDR portal. … The attacker is also believed to have gained administrative access to Uber’s cloud services including on Amazon Web Services … and Google Cloud … where Uber stores its source code and customer data, as well as the company’s HackerOne bug bounty program.

The threat actor likely had access to all of the company’s vulnerability reports, which means they may have had access to vulnerabilities that have not been fixed. HackerOne has since disabled the Uber bug bounty program. … Chris Evans, HackerOne CISO … said the company “is in close contact with Uber’s security team, have locked their data down, and will continue to assist with their investigation.”

This is not the first time that Uber has been compromised. In 2016, hackers stole information from 57 million driver and rider accounts and then approached Uber and demanded $100,000. … Uber made the payment to the hackers but kept the news of the breach quiet.

How did staff react? Faiz Siddiqui and Joseph Menn chatted to the perp—“Uber breached by hacker”:

SpongeBob character Mr. Krabs
In a subsequent interview … the alleged hacker told [us] they had breached the company for fun and might leak source code “in a few months.” The person described Uber security as “awful.”

Uber employees were caught off guard by the sudden disruption to their workday, and some initially reacted to the alarming messages as if they were a joke. … The hacker’s ominous posts were met with reactions … depicting the SpongeBob character Mr. Krabs, the popular “It’s Happening” GIF and queries as to whether the situation was a prank.

But surely Uber uses 2FA at least? Yes, but weakly—so says Instacart’s Matt Sullivan:

You need to start banging on pots and pans
MFA that is not based on Webauthn … should be considered dangerously insecure. Uber almost certainly enforces MFA for remote access: … Screenshots on Twitter appear to confirm … it was successfully provided during the authentication step.

As we saw in the case of the 0ktapus campaign, a sufficiently-skilled attacker will simply proxy the MFA calls to the real identity provider in real-time. … Webauthn, however, binds the authenticator to the domain and port, and requires https. … If a user gets phished, they cannot be compromised.

So, if your workplace is letting you authenticate with SMS codes, push notifications to an app, or 6-digit codes generated by an authenticator app/hardware device, you need to start banging on pots and pans up your reporting chain to get your security team the support they need to make Webauthn + FIDO2 hardware tokens or Webauthn + Mac Touch ID happen.
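To make Sullivan’s origin-binding point concrete, here is an added toy example (not from the post or from Sullivan) of the relying-party checks that reject a WebAuthn assertion relayed through a real-time proxy: the browser, not the user, writes the true origin into clientDataJSON and scopes the credential to that host, so the checks fail on a look-alike domain. The relying-party id, the origins and the HMAC stand-in for the credential’s ECDSA key are constructed for the demo.

```python
import base64, hashlib, hmac, json, os, struct
from urllib.parse import urlparse

RP_ID = "login.example.com"                      # constructed relying-party id
ALLOWED_ORIGINS = {"https://login.example.com"}  # origins the RP accepts
CRED_KEY = os.urandom(32)  # stand-in for the credential's private key (HMAC, not ECDSA)

def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def browser_get_assertion(origin: str, challenge: bytes, sign_count: int) -> dict:
    """Model of navigator.credentials.get(): the browser, not the page, writes the
    origin into clientDataJSON and scopes the credential to the origin's host."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge), "origin": origin}).encode()
    rp_id_hash = hashlib.sha256(urlparse(origin).hostname.encode()).digest()
    auth_data = rp_id_hash + b"\x01" + struct.pack(">I", sign_count)  # flags: UP set
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CRED_KEY, to_sign, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}

def rp_verify(assertion: dict, expected_challenge: bytes, last_count: int) -> tuple:
    """Relying-party side of the authentication ceremony (WebAuthn spec 7.2, simplified)."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} not allowed"
    ad = assertion["authenticatorData"]
    if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch (credential scoped to another site)"
    if not ad[32] & 0x01:
        return False, "user-presence flag not set"
    signed = ad + hashlib.sha256(assertion["clientDataJSON"]).digest()
    if not hmac.compare_digest(hmac.new(CRED_KEY, signed, hashlib.sha256).digest(), assertion["signature"]):
        return False, "bad signature"
    if struct.unpack(">I", ad[33:37])[0] <= last_count:
        return False, "signature counter did not increase"
    return True, "ok"

def demo() -> dict:
    challenge = os.urandom(32)  # fresh per login attempt
    legit = browser_get_assertion("https://login.example.com", challenge, 7)
    # A real-time relay forwards the RP's challenge to a victim whose browser is on a
    # look-alike origin; the browser binds the assertion to that origin, and the RP rejects it.
    relayed = browser_get_assertion("https://login-example.com", challenge, 7)
    return {"legit": rp_verify(legit, challenge, 6), "relayed": rp_verify(relayed, challenge, 6)}
```

Call `demo()` to see the legitimate assertion accepted and the relayed one refused at the origin check; a one-time code has no equivalent field for the RP to compare, which is why relaying it works.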

It’s bad enough the scrote was able to get the initial access, but the ease with which he was able to escalate is horrific. Here’s mrex’s summary:

Wow. Socially engineered credentials … then found PowerShell scripts with hardcoded admin credentials to their … secrets manager. Ooof.

What a mess. But The Oracle of Uncomfortable Truths isn’t surprised:

Uber’s most successful business line is overpriced food delivery service. This from a company that is so directionless and overreaching that they had (and may still have) aspirations to become an automated vehicle manufacturer. They still have yet to achieve sustainability with ridesharing.

This is the Silicon Valley “disruptor,” fake-it-till-you-make-it mindset on steroids. Hardly surprising that IT security got short shrift.

Luck plays a part. Cederic notes how fortunate Uber is:

It sounds like they’re lucky someone in it for fun and fame has done this, or … they’d have had their bank accounts stripped by now. Which they deserve: Admin credentials in a PowerShell script?

Wait. Uber “deserves” it? Kevin Reed warns against Schadenfreude:

This looks bad. What’s worse is if you had your data in Uber, there’s high chance … people have access to it. Say, if they know your email, they may then know where you live.

Meanwhile, here’s our old mate Marcus Hutchins—@MalwareTechBlog—after hours:

Tracking breaches sure is easy when the hackers just dump all the proof to Twitter and tell you exactly how they got in. Shame they had to do it after market close. 😂

And Finally:

Lest we forget

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
